Light Dark
November 4, 2014 By Shane Schick 2 min read

Most people probably like to go to work under the assumption that their website wasn’t hacked, but representatives of the Drupal content management system (CMS) say those who failed to immediately patch a critical vulnerability were likely compromised.

A prepared statement on Drupal.org details the nature of the vulnerability, which takes the form of a SQL injection flaw that allows automated attacks to hit sites that use the CMS. The vulnerability was discovered in mid-October, and though a patch was released, attackers likely targeted sites in less than eight hours, Threatpost reported.

Ironically, the CVE-2014-3704 vulnerability was specifically intended to thwart SQL injection attacks, in which malicious software code is used to gain access to a database. CSO Online said attackers were able to take advantage of unpatched Drupal sites to steal information and even take them over entirely. Like Heartbleed, which affected untold numbers of websites around the world, Drupal is largely looked over by a team of about 40 volunteers, CSO Online noted. This lack of resources may explain why the issue was initially disclosed in a public bug-tracking report from last year.

The potential impact of attacks on Drupal websites could be wide-ranging. The Web Host Industry Review noted an estimated 24 percent of .gov websites use the CMS, but it has been adopted far beyond the public sector as well. At this point, experts are suggesting that upgrading to Version 7.3 or applying the patch will not be enough and that users should assume their site has been infiltrated.

Instead, ZDNet and others shared an eight-point response plan that website administrators should pursue. The steps included taking sites offline and replacing them with a temporary HTML page, moving to a new server or removing files from the old server for analysis and restoring to backup versions of the site from before Oct. 14, 2014.

This last point is hugely important because, as PCWorld and others reported, attackers may have tried to cover their tracks by first compromising Drupal sites and then applying the patch themselves to prevent others from breaking in. In other words, even if a site looks like it’s already safe, it’s probably not.

If the site is hosted by a third party, administrators of other websites managed by the same service provider should also be notified. In fact, eWEEK interviewed sources that suggested it was service providers who played a key role in revealing the extent of the danger and recording details about some of the first attacks.

Image Source: Flickr

 |  |  | 
Shane Schick
Writer & Editor

More from

May 6, 2024

Evolving red teaming for AI environments

2 min read - As AI becomes more ingrained in businesses and daily life, the importance of security grows more paramount. In fact, according to the IBM Institute for Business Value, 96% of executives say adopting generative AI (GenAI) makes a security breach likely in their organization in the next three years. Whether it’s a model performing unintended actions, generating misleading or harmful responses or revealing sensitive information, in the AI era security can no longer be an afterthought to innovation.AI red teaming is emerging…

May 3, 2024

What we can learn from the best collegiate cyber defenders

3 min read - This year marked the 19th season of the National Collegiate Cyber Defense Competition (NCCDC). For those unfamiliar, CCDC is a competition that puts student teams in charge of managing IT for a fictitious company as the network is undergoing a fundamental transformation. This year the challenge involved a common scenario: a merger. Ten finalist teams were tasked with managing IT infrastructure during this migrational period and, as an added bonus, the networks were simultaneously attacked by a group of red…

May 2, 2024

A spotlight on Akira ransomware from X-Force Incident Response and Threat Intelligence

7 min read - This article was made possible thanks to contributions from Aaron Gdanski.IBM X-Force Incident Response and Threat Intelligence teams have investigated several Akira ransomware attacks since this threat actor group emerged in March 2023. This blog will share X-Force’s unique perspective on Akira gained while observing the threat actors behind this ransomware, including commands used to deploy the ransomware, active exploitation of CVE-2023-20269 and analysis of the ransomware binary.The Akira ransomware group has gained notoriety in the current cybersecurity landscape, underscored…

Topic updates

 Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today
© 2024 IBM Contact Privacy Terms of use Accessibility Cookie Preferences
Sponsored by si-icon-eightbarfeature